You should use a function called mysql_real_escape_string, which will help to prevent SQL injection attacks when dealing with data that gets sent to a database, such as login forms. You should also use a function called strip_tags to stop HTML/JavaScript from being entered into your forms.

Other functions you should use: htmlentities / htmlspecialchars, addslashes
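
An added example, not part of the original post, that runs one constructed form value through the storage and display steps the functions above are meant to protect. mysql_real_escape_string belongs to the old mysql extension, which was removed in PHP 7.0, so the database step here uses a PDO prepared statement instead. Assumptions: the in-memory SQLite database, the users table and the sample input are made up for the example.

```php
<?php
// Constructed form input: contains a quote (SQL-significant) and markup (HTML-significant).
$input = "O'Brien <script>alert(1)</script>";

// --- Storage step -----------------------------------------------------------
// Bind the value as a parameter so the quote is always data, never SQL syntax.
// In-memory SQLite stands in for the MySQL server (assumption for this example).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $input]);

// The value comes back byte-for-byte unchanged: nothing was escaped into the data.
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
echo 'stored unchanged: ', var_export($stored === $input, true), PHP_EOL;

// --- Display step -----------------------------------------------------------
// htmlspecialchars encodes <, >, &, and both quote styles (ENT_QUOTES), so the
// browser renders the text instead of interpreting it as markup.
echo 'htmlspecialchars: ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// htmlentities does the same and additionally encodes every character that
// has a named HTML entity.
echo 'htmlentities:     ', htmlentities($stored, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// strip_tags removes the tags but keeps the text between them, and leaves
// quotes untouched, so it is not a replacement for encoding on output.
echo 'strip_tags:       ', strip_tags($stored), PHP_EOL;

// addslashes backslash-escapes quotes, backslashes and NUL bytes. It knows
// nothing about the database connection or its character set.
echo 'addslashes:       ', addslashes($input), PHP_EOL;
```

The stored value is kept raw and encoded only when it is written into HTML, so the same row can be reused safely in other output contexts.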